In this example I’m simply going to sleep the request, but you might want to take increasingly severe measures, such as sleeping for longer or requiring some form of test to prove the request is coming from a human.

I’m also hard-coding the threshold and the interval period, but you will want to adjust these once you know the average number of failed requests for your application.

Adding Throttling to your Authentication

Finally, we can add throttling to the authentication by creating a new row in the database whenever a request fails.
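The sketch below is an added example, not code from the original post: it records one row per failed request and sleeps the request once the count inside the interval reaches the threshold, with the sleep growing as failures continue. Python, SQLite, the `failed_logins` table, every function name, the delay constants, and counting by username or source IP are all assumptions made for illustration.

```python
import sqlite3
import time

THRESHOLD = 5      # failures tolerated inside the window (hard-coded, tune later)
INTERVAL = 300     # look-back window in seconds (hard-coded, tune later)
BASE_DELAY = 1.0   # assumed first sleep, doubled for each further failure
MAX_DELAY = 30.0   # assumed cap so a single request never blocks a worker for long

def open_store(path=":memory:"):
    # Hypothetical table: one row per failed authentication request.
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS failed_logins "
               "(username TEXT NOT NULL, ip TEXT NOT NULL, attempted_at REAL NOT NULL)")
    return db

def record_failure(db, username, ip, now):
    db.execute("INSERT INTO failed_logins VALUES (?, ?, ?)", (username, ip, now))
    db.commit()

def recent_failures(db, username, ip, now):
    # Match on account OR source address (assumption) so that neither rotating
    # usernames from one address nor rotating addresses against one account
    # resets the count. Rows older than INTERVAL are ignored.
    return db.execute(
        "SELECT COUNT(*) FROM failed_logins "
        "WHERE (username = ? OR ip = ?) AND attempted_at > ?",
        (username, ip, now - INTERVAL)).fetchone()[0]

def throttle_delay(failures):
    # No delay below the threshold, then 1s, 2s, 4s ... up to MAX_DELAY.
    if failures < THRESHOLD:
        return 0.0
    extra = min(failures - THRESHOLD, 16)  # bound the exponent under heavy load
    return min(BASE_DELAY * 2 ** extra, MAX_DELAY)

def attempt_login(db, username, ip, password_ok, now=None, sleep=time.sleep):
    # password_ok stands in for the result of the application's credential check.
    now = time.time() if now is None else now
    delay = throttle_delay(recent_failures(db, username, ip, now))
    if delay:
        sleep(delay)  # throttle the request before answering it
    if not password_ok:
        record_failure(db, username, ip, now)
    return delay

if __name__ == "__main__":
    db = open_store()  # constructed demo: eight failures from one address
    for i in range(8):
        d = attempt_login(db, "alice", "203.0.113.7", False, sleep=lambda s: None)
        print(f"attempt {i + 1}: throttled for {d:.0f}s")
```

The `now` and `sleep` parameters exist so the behaviour can be exercised without real waiting; production code would leave both at their defaults.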